=Paper=
{{Paper
|id=Vol-1580/48
|storemode=property
|title=The Security of Web Services: Secure Communication and Identity Management
|pdfUrl=https://ceur-ws.org/Vol-1580/id48.pdf
|volume=Vol-1580
|authors=Hasnae L’amrani,Younès El Bouzekri El Idrissi,Rachida Ajhoun
|dblpUrl=https://dblp.org/rec/conf/bdca/LamraniIA15
}}
==The Security of Web Services: Secure Communication and Identity Management==
Proceedings of the International Conference on Big Data, Cloud and Applications, Tetuan, Morocco, May 25-26, 2015

Hasnae L'AMRANI (1), Younès EL BOUZEKRI EL IDRISSI (2), Rachida AJHOUN (3)

(1, 3) Higher National School of Computer Science and Systems Analysis (ENSIAS), University Mohamed V, Morocco: hasnae90lamranii@gmail.com, r.ajhoun@um5s.net.ma

(2) National School of Applied Sciences of Kenitra (ENSAK), University Ibn Tofail, Morocco: y.elbouzekri@gmail.com

Abstract: Service-oriented architectures have become the new trend in communication on the web, and web services are the high-performance specification of service-oriented architectures. The use of confidential data on the Web has become the primary problem of secure communication over the web. The solution proposed in this paper is a secure communication tool, OCS, based on the principles of the SAML standard and Single Sign-On. Our solution proposes a new approach that combines the strong points of the SAML standard and the single sign-on method. The implementation of this approach takes the form of a platform, or tool, that provides secure communication between web services. A future approach will go beyond the authentication level and address the level of access control; as a further step, we will prepare an evaluation of the most important technologies that provide Single Sign-On and a secure communication context between heterogeneous web services.

Keywords: SOA, web services, SAML, SSO, secured communication, security tokens, Secure communication tool on the web (OCS), Shibboleth.

===I. INTRODUCTION===

Currently, online banking, the sending of confidential email, online trade and the exchange of government information over networks are all at-risk uses of the network. For these reasons, secured exchange over networks is becoming more necessary than ever. Certainly, the use of secure protocols can guarantee a level of confidentiality, message integrity and user authentication, but this level is still minimal compared to the value of the information exchanged over the network. For this reason, the demands of communication between all the web services distributed over a network, while maintaining the diversity of domains and the flexibility of data exchange, need a deeper discussion of the mechanisms for authentication and secure communication over a network that is considered vulnerable.

An authentication procedure based on the SSO protocol (Single Sign-On) could solve the problem of domain change, where distributed applications require re-authentication at every change of domain (Cross-Domain). Furthermore, the combination of SSO with the secure exchange of confidential data and good identity management can improve the safety of communications in web services.

The most important objectives of this work are:

* Establish the state of the art on the current situation of service-oriented architectures, and especially on web services security issues.
* Treat authentication problems and detect the major problems of communication between web services.
* Investigate web services security standards, and also analyze identity management systems and their most significant models, as well as the single sign-on authentication method.
* Prepare an appropriate study of the SAML standard, since it treats the authentication level, and do the same for the single sign-on method.
* Propose a new approach that combines the strong points of the SAML standard and the single sign-on method. The implementation of this approach takes the form of a platform, or tool, that provides secure communication between web services.

In what follows, we present the concepts related to service-oriented architectures and web services, then the security of web services and in particular the standards for web services security, the SAML standard as a technology for secure exchange, Single Sign-On, and finally our approach, the secure communication tool (OCS).

===II. SERVICE ORIENTED ARCHITECTURES AND WEB SERVICES===

There are various ways to define a Service Oriented Architecture. The majority of these definitions focus on the technical aspects of SOA, although others show business characteristics. SOA is an architecture style that allows the reorganization of the information system. It enables the encapsulation of an information system's functionality into loosely coupled services belonging to both the business and the technical levels of the company [1].

Web services are modular applications that can be made, published, located and invoked automatically over the web. Thus, applications can make use of features located on other machines in other applications. In the end, we can say that the original purpose of a web service is to make it possible to use an application component in a distributed way.

===III. WEB SERVICES SECURITY===

In recent years, under the impulse of major participants like IBM and Microsoft, some work has aimed to fill the gaps of web services security. The evolution of these actors, their creation and investment in the field of standardization, and the results of that standardization have led to agreed standards for web services security. There is a set of standards for the security of web services, and a set of identity management models.

====A. The standards of web services security====

A standard is a repository published by a private entity other than a national or international standards body, or not approved by one of these organizations as a national or international standard [2]. Many standards and recommendations have been developed in the field of web services security. IBM and Microsoft have prepared the documents describing the technical strategy and roadmap for integrating a security architecture based on web services security. The developed standards concern the establishment of a trust network, the definition of security policies, the implementation of access control, and more [3].

Figure 1: standards of web services security (the figure lists WS-SecureConversation, WS-Federation, WS-Authorization, WS-Policy, WS-Trust, WS-Privacy, WS-Security, SAML, XACML, XML-Encryption and XML-Digital Signature)

The figure identifies the security standards of web services; we present some of them.

SAML Standard: The SAML standard (Security Assertion Markup Language) V2.0 [4] was designed by OASIS as a framework for the exchange and propagation of security information between trusted partners. The security information is expressed as assertions about entities with an identity in the security domain. Assertions can provide information on the attributes of the entities, on authentication already performed, or on authorization decisions related to specific resources [5].

XACML Standard: XACML defines a language for the formulation of access control policies. It specifies the features necessary for the treatment of these policies and a data-flow model of the functional components of the infrastructure. XACML provides authorization mechanisms that are transported by the SAML standard; in other words, XACML complements SAML to provide the authorization service.

WS-Trust Standard: WS-Trust is based on the WS-Security security mechanisms and defines a model for establishing and maintaining trust relationships across security domains. In service-oriented architectures, trust usually involves the emission, exchange and validation of security tokens to control access to specific services.

WS-SecureConversation Standard: The WS-SecureConversation standard allows secure and confidential communication. It uses public keys to exchange session keys and specifies the mechanisms for establishing and sharing security contexts. This protocol, associated with the application level, is the equivalent of SSL at the transport level [3].

====B. Identity management models====

To address the problem of multiple user accounts, one for each service used, and the great effort of memorizing passwords for these accounts, different identity management models have been developed. The notion of identity management requires a set of models to meet the requirements of the organizations concerned:

{| class="wikitable"
! Model !! Description
|-
| Isolated model || In this model, each service provider (FS) has the responsibility for managing the identity of each of its users. The FS deploys its own identity management system (IMS), taking into account the complexity and functionality defined by the organization. It is very difficult for FSs to integrate these IMSs to provide coordinated services [7].
|-
| Centralized model || This model is based on a single storage of digital identities. The user can authenticate with all service providers using the same identity [7].
|-
| Federated model || In the federated model, the identities saved in different service providers are linked through pseudonyms. The entities that make up the federation form a Circle of Trust (CC) establishing trust relationships [7].
|-
| User-centric model || This model has been designed to give users more control over their personal data. Indeed, they can select the identity provider that suits them and choose the identity to use to access the different services [7].
|}

Table 1: The different identity management models

===IV. SECURE COMMUNICATION AND SINGLE SIGN-ON===

Before introducing the concepts of single sign-on and secure communication, it is necessary to say that our goal is to see the usefulness of combining these two important techniques in terms of improving web service security.

====A. Single Sign-On (SSO)====

Single Sign-On is a process that allows a user to authenticate once to access multiple applications or resources.

Figure 2: architecture of SSO

This is a simplified model of single sign-on that shows its basic principle. We note that the user may have access to all the resources of both applications: a single authentication guarantees repeated access to the resources.

====B. Secure communication based on SAML====

In this contribution, we chose to focus our work on the authentication level and, as we explained above, the SAML standard has treated authentication problems by securing the contents of messages. For those reasons, we will explain the Security Assertion Markup Language standard in detail.

Communication between different remote services, with its concern for safety, plays an important role in the design of strong and effective security standards. The SAML standard, namely Security Assertion Markup Language, is dedicated to helping developers build security contexts at the application level for communications between computers or between security domains. In this role the SAML standard transfers authentication data, taking account of the capacity of the terminal, to protect systems against illegitimate use. The components of the SAML standard are illustrated in the diagram below:

Figure 3: SAML components

The SAML standard is used for secure information exchange between business partners online. SAML manages the information needed for the authentication and exchange processes between partners. These exchanges are based on assertions, protocols, bindings and SAML profiles.

===V. THE SECURE COMMUNICATION TOOL: OCS===

After studying single sign-on and the SAML standard, we have proposed a solution based on these two technologies. This solution is a tool that allows secure communication between web services. It also ensures single sign-on between the different services.

====A. Functional principle====

The tool for secure communications (OCS) brings together the strong points of these technologies; it allows the demand and supply of services in a secure way. The figure below explains the general principle of operation of the proposed tool.

Figure 4: Principle of functioning of the proposed tool

Before reaching the desired service, the user passes through a series of steps to finally get to use it. The steps in this process are divided as follows:

* Service request;
* Redirect to authentication;
* Checking the user account;
* Redirection to the desired service;
* Registration of new users;
* Validation of new users;
* Redirect to the requested service.

====B. Implementation====

The establishment of a practical solution, developed by ourselves, was our goal. The developed tool provides a roadmap for users who want to access web services while keeping the confidentiality of their private data. Web services developers can take this tool as a starting framework, and then simultaneously enrich it and improve its level of security.

In what follows, we explain how we implemented our approach and give more details about every step mentioned above.

The OCS tool is a framework based on JEE and contains a list of web services distributed over different applications. Our tool provides the following processes to access and manipulate web service functionalities.

Service request: The user requests one of the services provided on the web services portal; he must choose one of those services and send his request.

Redirect to authentication: After the service request step, the user is redirected to the authentication portal, where he can log in to gain access to the requested service.

Checking the user account: When the user's credentials are received, we check whether this user is known to our Identity Provider or not; according to his situation he is redirected either to the wanted services or to the registration portal.

Redirection to the desired service: A user who has the appropriate privilege is directly redirected to the requested resources, and he can access other services in a secure way, because this passage from one service to another is based on security tokens.

Registration of new users: A user who is not registered in our Identity Provider must go through the registration process; we then evaluate his account and, after that, decide whether to validate or reject his registration.

Validation of new users: The administrator is the one who validates or rejects the user's registration, and he can also disable some accounts temporarily.

Redirect to the requested service: When the new user account is valid, he is directly redirected to the service he requested, and begins to have the same privileges as the existing users.

The table below presents the objectives achieved and not achieved after the development of the OCS tool:

{| class="wikitable"
! Objective !! Satisfied !! Unsatisfied
|-
| Secure communication between web services based on tokens || yes ||
|-
| Transparent transition between the different web services available || yes ||
|-
| Encryption of passwords in the database || yes ||
|-
| Centralized authentication in the identity provider || yes ||
|-
| Single Sign-On based on security tokens || yes ||
|-
| Sending of authentication data for the first connection in a secure way || || Not yet
|}

Table 2: Assessment of satisfaction for the OCS tool

This evaluation is not a fixed point of view; it is open to many modifications. Our tool is still being improved, and we continue to supply it with new ideas and propositions.

===VI. FUTURE WORK===

The establishment of secure communication between a service and its users is a very complicated mission. To achieve success, one should not stop at a minimum safety level but keep looking for other, more effective solutions. In this paper, we examined the SSO technology and the SAML standard, and then developed a tool for secure communication (OCS) inspired by those two technologies.

All the results achieved stop at the authentication level, either by keeping a safe passage for private information (SAML) or by using single sign-on (SSO). For all of this, and as a perspective, we propose to expand the circle of research to the management of access control. To achieve this goal, we plan to investigate the identity federation technology "Shibboleth" more thoroughly and compare it with other technologies like OpenID, OAuth, and so on. Identity federation, single sign-on systems (SSO), and connection and disconnection in SSO systems will be our main future research lines. Finally, we contemplate comparing our tool (OCS) with other tools such as Shibboleth, OpenID and others, to locate the strengths and weaknesses not just of our proposal but also of the other technologies.

===VII. CONCLUSION===

The study of security standards for web services, their areas of intervention, and identity management systems has enriched our scientific research on web services security. The extensive study of the SAML security standard, its components, its operation and the threats that target it has improved our knowledge of the safe transfer of authentication and authorization data on the web. In addition, SSO brought another level of security for web services by reducing the number of authentications, and subsequently decreasing the probability of interception of private user data. The proposal of the "OCS" tool is an innovative step, because it provides secure connections between clients and services. This tool provides secure authentication and communication between the client and the web service, and then a secure communication context procedure. As an outlook, adding a distribution server for temporary security tokens, specific to each user for each service, will be our goal to prevent attacks like session hijacking and other attacks targeting private customer data.

===REFERENCES===

* [1] «Interconnexion des processus Interentreprises : une approche orientée services».
* [2] http://fr.wikipedia.org/wiki/Norme_et_standard_techniques#Standard [Online].
* [3] P. B. Nassar, «Gestion de la sécurité dans une infrastructure de services dynamique : Une approche par gestion des risques,» 2012.
* [4] U. i. d. t.-S. D. L. N. D. L'UIT, «Langage de balisage d'assertion de sécurité (SAML 2.0)», Brevet X.1141, 13 June 2006.
* [5] M. E. Hughes J., «Security Assertion Markup Language (SAML) V2.0,» OASIS SSTC Working Draft, 2005.
* [6] M. U. FRAGOSO-RODRIGUEZ, «Modèle de Respect de la Vie Privée dans une Architecture d'identité fédérée,» 16 December 2009.
* [7] P. B. Nassar, «Gestion de la sécurité dans une infrastructure de services dynamique : Une approche par gestion des risques,» 2012.
* [8] C. B. e. x. L. G. G. L. Maesano, Services Web en J2EE & .NET : conception et implémentation, Paris: Éditions Eyrolles, 61, bd Saint-Germain, 75240 Paris Cedex 05, 2003.
* [9] G. HARRY, «IAM : GESTION DES IDENTITES ET DES ACCES, CONCEPTS ET ETATS DE L'ART,» 12 September 2013.
* [10] G. Zhenhua, «Research and Implementation of a SAML-based SSO module,» Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing, 21 December 2012.
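The flow of Section V (one authentication at the identity provider, then passage from one service to another on the strength of security tokens) and the outlook of Section VII (temporary tokens specific to each user and each service), as an added worked example in Python that is neither the OCS tool's code nor part of the paper. The entity ids, the user record, the per-service shared secrets and the five-minute lifetime are constructed for the example, and an HMAC over the serialized assertion stands in for the XML-DSig signature a SAML deployment would use; the element names (Issuer, Subject, Conditions with an AudienceRestriction, AttributeStatement) follow SAML's component names, but the document is a simplified stand-in, not a conforming SAML assertion.

```python
"""Added example, not the OCS tool's code: a minimal SAML-style single sign-on flow.
The identity provider (IdP) stores only salted password hashes, authenticates the user
once, and issues short-lived assertions bound to one service provider (SP); each SP
verifies signature, issuer, audience and validity window before granting access.
Assumptions: entity ids, users and per-SP shared secrets are constructed, and an HMAC
over the serialized assertion stands in for XML-DSig so the block runs offline."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ISSUER = "https://idp.example.test"             # assumed IdP entity id
SP_KEYS = {                                     # constructed per-service secrets
    "https://portal.example.test": b"portal-secret",
    "https://billing.example.test": b"billing-secret",
}
ASSERTION_TTL = timedelta(minutes=5)            # temporary, per-user, per-service token


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256: only the salt and the derived key reach the database."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store: the plaintext "s3cret" is hashed once here and never stored.
USERS = {"alice": (*hash_password("s3cret"), {"role": "customer"})}


def authenticate(username, password):
    """Centralized authentication at the IdP; returns a session dict or None."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored, attrs = record
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(stored, candidate):
        return None
    return {"subject": username, "attrs": attrs}


def _sign(payload, key):
    return base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()


def issue_assertion(session, audience, now):
    """IdP side: build a SAML-like assertion for one SP and sign it with that SP's key."""
    a = ET.Element("Assertion", ID="_" + os.urandom(8).hex(), IssueInstant=now.isoformat())
    ET.SubElement(a, "Issuer").text = ISSUER
    ET.SubElement(ET.SubElement(a, "Subject"), "NameID").text = session["subject"]
    cond = ET.SubElement(a, "Conditions", NotBefore=now.isoformat(),
                         NotOnOrAfter=(now + ASSERTION_TTL).isoformat())
    ET.SubElement(ET.SubElement(cond, "AudienceRestriction"), "Audience").text = audience
    stmt = ET.SubElement(a, "AttributeStatement")
    for name, value in session["attrs"].items():
        ET.SubElement(ET.SubElement(stmt, "Attribute", Name=name), "AttributeValue").text = value
    body = ET.tostring(a)                       # exactly the bytes the signature covers
    ET.SubElement(a, "Signature").text = _sign(body, SP_KEYS[audience])
    return ET.tostring(a).decode()


def validate_assertion(token, expected_audience, now):
    """SP side: check signature, issuer, audience and time window; raise ValueError otherwise."""
    root = ET.fromstring(token)
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("unsigned assertion")
    root.remove(sig)                            # re-serialize what the IdP signed
    if not hmac.compare_digest(sig.text, _sign(ET.tostring(root), SP_KEYS[expected_audience])):
        raise ValueError("bad signature")
    if root.findtext("Issuer") != ISSUER:
        raise ValueError("unknown issuer")
    if root.findtext("Conditions/AudienceRestriction/Audience") != expected_audience:
        raise ValueError("assertion issued for another service")
    cond = root.find("Conditions")
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_on_or_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_on_or_after):
        raise ValueError("assertion outside its validity window")
    attrs = {att.get("Name"): att.findtext("AttributeValue") for att in root.iter("Attribute")}
    return {"subject": root.findtext("Subject/NameID"), "attrs": attrs}


def sso_demo(now=None):
    """One login, two services, then two misuse cases that the SP must refuse."""
    now = now or datetime.now(timezone.utc)
    session = authenticate("alice", "s3cret")
    results = {}
    for sp in SP_KEYS:                          # single sign-on: no second password prompt
        results[sp] = validate_assertion(issue_assertion(session, sp, now), sp, now)["subject"]
    portal_token = issue_assertion(session, "https://portal.example.test", now)
    for label, audience, when in (("replay", "https://billing.example.test", now),
                                  ("expired", "https://portal.example.test", now + ASSERTION_TTL)):
        try:
            validate_assertion(portal_token, audience, when)
            results[label] = "accepted"
        except ValueError as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    print(sso_demo())
```

Running the module prints the result of sso_demo(): both services accept the subject alice after a single login, the portal assertion presented to the billing service fails because it was signed for another audience, and the same assertion presented at the end of its window is refused. Storing only PBKDF2 hashes corresponds to the "encryption of passwords in the database" line of Table 2; binding each assertion to one audience and a short lifetime is the per-user, per-service temporary token the conclusion proposes against session hijacking.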